The author is a Forbes contributor. The opinions expressed are those of the writer.


In the blink of an eye, the year is almost over. In looking back at what it meant for the cybersecurity industry, 2015 was predictably busy. We saw big acquisitions, including those of EMC by Dell and Websense by Raytheon. Rapid7 and Sophos both went public. Large funding rounds happened almost weekly, with the sector raising more than $2.3 billion in the first nine months.

Cybersecurity spending increased sharply and should cap out at about $75 billion by year’s end, according to leading analyst estimates. While the U.S. House and Senate continued to debate cybersecurity legislation, government agencies amassed a whopping security budget of $12.5 billion, collectively.

There were unforgettable breaches, like Anthem, BlueCross BlueShield and the U.S. Office of Personnel Management, although the biggest headlines went to the Ashley Madison breach. There also were countless daily reports of breaches due to “sophisticated attacks” and resulting losses from companies whose infrastructure -- despite all the spending -- remained woefully vulnerable. Even President Obama stepped into the fray, cementing an agreement with China in the hope of limiting the scope of nation-state hacking.

Are We Doomed To Repeat The Same Mistakes?

Looking back, it’s painfully clear that while we may not have known the names and faces of the victims, or the numbers behind the M&A, funding, budget and breach news, most of this was predictable in 2014. So will it be any different next year, or are we doomed to repeat the past yet again?

Unfortunately, in most respects, 2016 won’t change much: users will still click on malicious links; IT will still be bad at patching; the bad guys will still attack; and the tide of misery from breaches will continue. What matters most is whether your organization will be a victim or not. Of course, you could do nothing and be lucky. But the only way to control your fate is to lead your organization to high ground based on a well-considered, security-first strategy.

As co-founder and CTO of Bromium, a cybersecurity solution focused on endpoint threat isolation, I have spoken with hundreds upon hundreds of CSOs and CIOs who recognize that the cybersecurity industry continues to repeat the same mistakes. Unfortunately, even though these CSOs and CIOs recognize the shortcomings of the security industry, their organizations tend to hold them responsible when something goes wrong -- not the vendor.

There are too many “me too” vendors focused on the staple of detection. In the endpoint security sector, for example, over 40 vendors are bringing to market a feature set that Gartner terms “EDR,” or endpoint detection and response, whose sole goal is to help find a breach in progress -- provided you know what to look for in the first place. Despite vendor claims, detection can’t protect you, and it isn’t advancing much, even when disguised as artificial intelligence (AI). In a world of adaptive, intelligent attackers, even the best AI technologies tend to make lots of mistakes. Ponemon estimates that a typical large enterprise spends up to 395 hours per week processing false alerts -- about $1.27 million per year.